Re: F-Secure client with OpenSSH server
From: Mark Moorcroft (list@valleyofspeed.com) Date: 12/31/01
From: list@valleyofspeed.com (Mark Moorcroft) Date: 30 Dec 2001 16:27:05 -0800
slade@shore.net (Richard E. Silverman) wrote in message news:<m1lsn9usbx8.fsf@syrinx.oankali.net>...
> OpenSSH and SSH2 use different key formats; you have to convert it by:
>
> % ssh-keygen -i -f <SSH2 public key file>
>
> This will output a single line, which is what you add to the OpenSSH
> authorized_keys(2) file.
I would like to join this discussion, as I have been attempting to
connect my MacOSX box to my he.net account. It seems the folks at
Hurricane can't get their OSX box connected either, nor do they even
have the same versions of SSH/SSL on their various servers, but I
digress...
My OSX box reports ...
"OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f"
and the he.net box says...
"ssh: SSH Secure Shell 2.4.0 (non-commercial version) on
i686-pc-linux-gnu"
The trouble is that even after using the tools on my OSX box to
convert the public keys generated by both systems (the he.net
ssh-keygen does not even have the ability to convert keys), and
placing them where they appear to need to be, the fingerprints never
match. This is the debug from he.net back to my home OSX box...
debug: hostname is 'xxx.xxx.xxx.xxx'.
debug: Unable to open /home/user/.ssh2/ssh2_config
debug: connecting to xxx.xxx.xxx.xxx...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: SshAuthMethodClient/sshauthmethodc.c:117/ssh_client_authentication_initialize:
Added "publickey" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:117/ssh_client_authentication_initialize:
Added "password" to usable methods.
debug: Ssh2Client/sshclient.c:1142/ssh_client_wrap: creating userauth
protocol
debug: Ssh2Common/sshcommon.c:502/ssh_common_wrap: local ip =
xxx.xxx.xxx.xxx, local port = 1540
debug: Ssh2Common/sshcommon.c:504/ssh_common_wrap: remote ip =
xxx.xxx.xxx.xxx, remote port = 22
debug: SshConnection/sshconn.c:1866/ssh_conn_wrap: Wrapping...
debug: Ssh2Transport/trcommon.c:599/ssh_tr_input_version: Remote
version: SSH-1.99-OpenSSH_2.9p2
debug: Ssh2Transport/trcommon.c:789/ssh_tr_input_version: Remote
version has rekey incompatibility bug.
debug: Ssh2Transport/trcommon.c:1120/ssh_tr_negotiate: c_to_s: cipher
3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1123/ssh_tr_negotiate: s_to_c: cipher
3des-cbc, mac hmac-sha1, compression none
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)!
It is also possible that the host key has just been changed.
Please contact your system administrator.
Add correct host key to
"/home/sevenup/.ssh2/hostkeys/key_xxx_xxx.xxx.xxx.xxx.pub"
to get rid of this message.
Received server key's fingerprint:
xofak-vycof-mozum-kapil-fucyp-sibel-lyseb-sogal-bymic-xxxxx-xxxxx
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Agent forwarding is disabled to avoid attacks by corrupted servers.
X11 forwarding is disabled to avoid attacks by corrupted servers.
Are you sure you want to continue connecting (yes/no)? no
debug: Ssh2Common/sshcommon.c:137/ssh_common_disconnect: DISCONNECT
received: Key exchange failed.
warning: Authentication failed.
debug: Ssh2/ssh2.c:85/client_disconnect: locally_generated = TRUE
Disconnected; key exchange or algorith negotiation failed (Key
exchange failed.).
debug: uninitializing event loop
Here is the debug from home to he.net...
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 501 geteuid 501 anon 1
debug1: Connecting to pluto.he.net [xxx.xxx.xxx.xxx] port 22.
debug1: restore_uid
debug1: restore_uid
debug1: Connection established.
debug1: identity file /Users/mark/.ssh/identity type -1
debug3: No RSA1 key file /Users/mark/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: identity file /Users/mark/.ssh/id_dsa type 2
debug1: identity file /Users/mark/.ssh/id_rsa type -1
debug1: Remote protocol version 1.99, remote software version 2.4.0
SSH Secure Shell (non-commercial)
debug1: match: 2.4.0 SSH Secure Shell (non-commercial) pat ^2\.[2-9]\.
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit:
3des-cbc,cast128-cbc,blowfish-cbc,twofish-cbc,arcfour,none
debug2: kex_parse_kexinit:
3des-cbc,cast128-cbc,blowfish-cbc,twofish-cbc,arcfour,none
debug2: kex_parse_kexinit:
hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,none
debug2: kex_parse_kexinit:
hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,none
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client 3des-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: dh_gen_key: priv key bits set: 201/384
debug1: bits set: 522/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /Users/mark/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh_known_hosts2
debug3: check_host_in_hostfile: filename /Users/mark/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh_known_hosts2
The authenticity of host 'pluto.he.net (xxx.xxx.xxx.xxx)' can't be
established.
DSA key fingerprint is
c6:f1:fb:b6:88:67:a2:b8:a5:a7:a4:29:ef:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? no
Aborted by user!
debug1: Calling cleanup 0x16938(0x0)
Any help appreciated by me (and probably he.net too)
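
Added example (not part of the original post, and not code from OpenSSH or SSH Secure Shell): a Python sketch of the SSH2-to-OpenSSH public key conversion discussed above, together with the two fingerprint renderings that appear in the logs, the colon-separated MD5 hex form printed by OpenSSH and the Bubble Babble form printed by the SSH2 client. It assumes the Bubble Babble string is taken over the SHA-1 digest of the key blob (consistent with the 11 groups shown above); the sample key is constructed and is not a usable key.

```python
import base64, hashlib, struct

VOWELS, CONS = "aeiouy", "bcdfghklmnprstvzx"

def bubblebabble(d: bytes) -> str:
    """Bubble Babble encoding, the xxxxx-xxxxx form the SSH2 client prints."""
    out, seed, rounds = ["x"], 1, len(d) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(d) % 2:
            a = d[2 * i]
            out += [VOWELS[((a >> 6) + seed) % 6], CONS[(a >> 2) & 15],
                    VOWELS[((a & 3) + seed // 6) % 6]]
            if i + 1 < rounds:
                b = d[2 * i + 1]
                out += [CONS[b >> 4], "-", CONS[b & 15]]
                seed = (seed * 5 + a * 7 + b) % 36
        else:  # even-length input: last group carries only the checksum seed
            out += [VOWELS[seed % 6], "x", VOWELS[seed // 6]]
    return "".join(out) + "x"

def ssh2_to_blob(text: str) -> bytes:
    """Pull the raw key blob out of an SSH2-format public key file."""
    b64, in_header = [], False
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("----"):          # BEGIN/END markers
            continue
        if in_header or ":" in line:         # header, possibly continued with '\'
            in_header = line.endswith("\\")
            continue
        b64.append(line)
    return base64.b64decode("".join(b64))

def openssh_line(blob: bytes) -> str:
    """One-line authorized_keys/known_hosts form: '<type> <base64 blob>'."""
    n = struct.unpack(">I", blob[:4])[0]     # first field names the key type
    return blob[4:4 + n].decode("ascii") + " " + base64.b64encode(blob).decode()

def fingerprints(blob: bytes) -> dict:
    """Both renderings of the same blob: MD5 colon-hex and SHA-1 Bubble Babble."""
    h = hashlib.md5(blob).hexdigest()
    return {"md5_hex": ":".join(h[i:i + 2] for i in range(0, 32, 2)),
            "bubblebabble": bubblebabble(hashlib.sha1(blob).digest())}

# Constructed sample: right field layout for ssh-dss, but not a usable key.
_f = lambda b: struct.pack(">I", len(b)) + b
SAMPLE_BLOB = _f(b"ssh-dss") + b"".join(_f(bytes([0, 0xC0 + k, k, 7])) for k in range(4))
SAMPLE_SSH2 = ('---- BEGIN SSH2 PUBLIC KEY ----\nComment: "constructed, \\\nnot a real key"\n'
               + base64.b64encode(SAMPLE_BLOB).decode() + "\n---- END SSH2 PUBLIC KEY ----\n")
print(openssh_line(ssh2_to_blob(SAMPLE_SSH2)), fingerprints(SAMPLE_BLOB), sep="\n")
```

The two strings returned by fingerprints() describe the same key blob, so a host key can only be checked across the two implementations by comparing fingerprints rendered in the same format.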